Add default firewall configuration

This is a working configuration from a deployment. It needs to be
generalised in order to work on other deployments.

Author: markgoddard

etc/kayobe/compute.yml

@@ -125,23 +125,41 @@
 ###############################################################################
 # Compute node firewalld configuration.
 
+# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
+# provision_oc_net_name }}).
+
 # Whether to install and enable firewalld.
-#compute_firewalld_enabled:
+compute_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-#compute_firewalld_zones:
+compute_firewalld_zones:
+  - zone: provision_oc
+  - zone: storage
+  - zone: tunnel
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-#compute_firewalld_default_zone:
+# FIXME: Try setting to drop
+compute_firewalld_default_zone: trusted
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-#compute_firewalld_rules:
+compute_firewalld_rules:
+  - service: ssh
+    zone: provision_oc
+  - service: dhcpv6-client
+    state: disabled
+    zone: public
+  - service: ssh
+    state: disabled
+    zone: public
+  # GENEVE
+  - port: 6081/udp
+    zone: tunnel
 
 ###############################################################################
 # Compute node host libvirt configuration.

etc/kayobe/controllers.yml

@@ -134,23 +134,66 @@
 ###############################################################################
 # Controller node firewalld configuration.
 
+# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
+# provision_oc_net_name }}).
+
 # Whether to install and enable firewalld.
-#controller_firewalld_enabled:
+# FIXME: Disable by default?
+controller_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-#controller_firewalld_zones:
+# FIXME: Filter out duplicates and unset networks?
+controller_firewalld_zones:
+  - zone: external
+  - zone: mgmt_wl
+  - zone: provision_oc
+  - zone: provision_wl
+  - zone: public
+  - zone: storage
+  - zone: tunnel
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-#controller_firewalld_default_zone:
+# FIXME: Try setting to drop
+controller_firewalld_default_zone: trusted
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-#controller_firewalld_rules:
+# FIXME: Add all services, add conditionals, filter out unused
+controller_firewalld_rules:
+  - service: ssh
+    zone: provision_oc
+  - service: dhcp
+    zone: provision_wl
+  - service: ntp
+    zone: provision_wl
+  - service: tftp
+    zone: provision_wl
+  - port: 8089/tcp
+    zone: provision_wl
+  - service: dhcpv6-client
+    state: disabled
+    zone: public
+  - service: ssh
+    state: disabled
+    zone: public
+  # Designate
+  - port: 53/tcp
+    zone: public
+  - port: 53/udp
+    zone: public
+  # Designate AXFR
+  - port: 5354/tcp
+    zone: public
+  - port: 5354/udp
+    zone: public
+  # GENEVE
+  - port: 6081/udp
+    zone: tunnel
 
 ###############################################################################
 # Controller node swap configuration.

etc/kayobe/inventory/group_vars/ansible-control/infra-vm

@@ -0,0 +1,33 @@
+---
+###############################################################################
+# Infrastructure VM node firewalld configuration.
+
+# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
+# provision_oc_net_name }}).
+
+# Whether to install and enable firewalld.
+infra_vm_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+infra_vm_firewalld_zones:
+  - zone: mgmt_oc
+  - zone: mgmt_wl
+  - zone: provision_oc
+  - zone: public
+  - zone: switch_mgmt
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+infra_vm_firewalld_default_zone: drop
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+infra_vm_firewalld_rules:
+  - service: ssh
+    zone: provision_oc
+  - service: ssh
+    zone: switch_mgmt

etc/kayobe/inventory/group_vars/wazuh-manager/infra-vm

@@ -0,0 +1,43 @@
+---
+###############################################################################
+# Infrastructure VM node firewalld configuration.
+
+# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
+# provision_oc_net_name }}).
+
+# Whether to install and enable firewalld.
+infra_vm_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+infra_vm_firewalld_zones:
+  - zone: provision_oc
+  - zone: public
+  - zone: switch_mgmt
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+infra_vm_firewalld_default_zone: drop
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+infra_vm_firewalld_rules:
+  - service: ssh
+    zone: provision_oc
+  - port: 1514/tcp
+    zone: provision_oc
+  - port: 1514/udp
+    zone: provision_oc
+  - port: 1515/tcp
+    zone: provision_oc
+  - port: 443/tcp
+    zone: public
+  - port: 9200/tcp
+    zone: provision_oc
+  - port: 9300-9400/tcp
+    zone: provision_oc
+  - port: 55000/tcp
+    zone: provision_oc

etc/kayobe/kolla/globals.yml

@@ -49,3 +49,6 @@ prometheus_instance_label: "{% raw %}{{ ansible_facts.hostname }}{% endraw %}"
 # in Yoga. This is required to include a valid value for the flavor_id label on
 # openstack_nova_server_status metrics.
 prometheus_openstack_exporter_compute_api_version: "2.1"
+
+# Open up ports in firewalld for services on the public API network.
+enable_external_api_firewalld: true

etc/kayobe/seed-hypervisor.yml

@@ -117,6 +117,8 @@
 ###############################################################################
 # Seed hypervisor node firewalld configuration.
 
+# FIXME: Add some seed hypervisor rules?
+
 # Whether to install and enable firewalld.
 #seed_hypervisor_firewalld_enabled:
 

etc/kayobe/seed.yml

@@ -155,23 +155,64 @@ seed_extra_containers: {}
 ###############################################################################
 # Seed node firewalld configuration.
 
+# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
+# provision_oc_net_name }}).
+
 # Whether to install and enable firewalld.
-#seed_firewalld_enabled:
+seed_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-#seed_firewalld_zones:
+seed_firewalld_zones:
+  - zone: mgmt_oc
+  - zone: provision_oc
+  - zone: public
+  - zone: switch_mgmt
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-#seed_firewalld_default_zone:
+seed_firewalld_default_zone: drop
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-#seed_firewalld_rules:
+seed_firewalld_rules:
+  - service: ssh
+    zone: provision_oc
+  - service: dhcp
+    zone: provision_oc
+  - service: tftp
+    zone: provision_oc
+  - service: ntp
+    zone: provision_oc
+  - service: ntp
+    zone: switch_mgmt
+  # Pulp server
+  - service: http
+    zone: provision_oc
+  - service: squid
+    zone: provision_oc
+  # Ironic inspector API
+  - port: 5050/tcp
+    zone: provision_oc
+  # Ironic API
+  - port: 6385/tcp
+    zone: provision_oc
+  # nginx
+  - port: 8080/tcp
+    zone: provision_oc
+  # Disable default services in public zone
+  - service: dhcpv6-client
+    state: disabled
+    zone: public
+  - service: ssh
+    state: disabled
+    zone: public
+  # Redfish exporter
+  - port: 9610/tcp
+    zone: provision_oc
 
 ###############################################################################
 # Seed node swap configuration.

etc/kayobe/storage.yml

@@ -130,23 +130,42 @@
 ###############################################################################
 # Storage node firewalld configuration.
 
+# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
+# provision_oc_net_name }}).
+
 # Whether to install and enable firewalld.
-#storage_firewalld_enabled:
+storage_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-#storage_firewalld_zones:
+storage_firewalld_zones:
+  - zone: internal
+  - zone: provision_oc
+  - zone: storage
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-#storage_firewalld_default_zone:
+# FIXME: Try setting to drop
+storage_firewalld_default_zone: trusted
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-#storage_firewalld_rules:
+storage_firewalld_rules:
+  - service: ssh
+    zone: provision_oc
+  - port: 9283/tcp
+    zone: provision_oc
+  - service: ssh
+    zone: storage
+    state: disabled
+  - service: ceph
+    zone: storage
+  - service: ceph-mon
+    zone: storage
+    state: "{{ 'enabled' if 'mons' in group_names else 'disabled' }}"
 
 ###############################################################################
 # Storage node swap configuration.